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Abstract.  In  this  paper  we  present  a  method  for  integrating  information  assur¬ 
ance  requirements  into  agile  and  rapid  technology  development.  This  integrated 
approach  advocates  involvement  of  the  information  assurance  expert  at  the 
onset  of  system  development  and  design— building  requirements  in  proactively. 
The  focus  is  on  collaboration,  continuous  monitoring,  and  leveraging  automated 
testing  for  formal  validation. 

Introduction 

As  “agile”  software  development  becomes  more  common 
in  government  and  industry,  it  poses  a  challenge:  integrating 
Information  Assurance  (IA)  into  system  requirements  and  the 
development  process.  How  do  we  take  a  gate-styled  serial 
process,  segment  it  into  increments,  and  then  integrate  it?  How 
do  we  move  IA  requirements  from  right  to  left  in  the  develop¬ 
ment  schedule,  instead  of  tacking  them  onto  the  end?  How  do 
we  document  that  process  incrementally  and  obtain  acceptance 
of  the  security  posture  by  the  approval  authority?  At  Marine 
Corps  Systems  Command,  the  Information  Assurance  Manage¬ 
ment  Team  supporting  Program  Manager  Marine  Intelligence 
has  developed  an  integrated  information-assurance  process, 
called  “agile  IA,”  to  address  these  issues  and  better  support  agile 
software  development. 
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Figure  1 :  Legacy  serial  process  of  system  development  and  preparation 


Typically,  legacy  certification  and  accreditation  practices  as¬ 
sess  IA  requirements  after  a  system  has  been  designed  and 
developed,  generally  through  serial  processes  that  prolong  the 
development  schedule.  This  results  in  reactionary  implementa¬ 
tion  of  security  configurations  and  creates  a  cascading  effect 
of  schedule  slips  and  unplanned  costs.  This  traditional  approach 
can  leave  both  technical  and  administrative  security  require¬ 
ments  inadequately  addressed.  It  frequently  overlooks  opera¬ 
tions  security— even  core  requirements  such  as  ensuring  that 
personnel  are  properly  cleared. 

Legacy  processes  involve  cycles  of  configuration  known  as 
system  “hardening.”  The  cycle  consists  of  scanning,  remediat¬ 
ing,  rescanning  and  reconfiguration,  in  multiple  iterations  whose 
goal  is  to  minimize  vulnerability.  The  baseline  must  be  main¬ 
tained  while  the  system  is  documented  and  formal,  Independent 
Verification  and  Validation  (IV&V)  is  conducted.  IV&V  likewise 
involves  cycles  of  activity  that  must  occur  while  other  processes 
are  accomplished  for  Certification  and  Accreditation  (C&A).  The 
combined  process  of  hardening  and  IV&V  can  take  anywhere 
from  1 2  to  24  months— occasionally  even  longer. 

Figure  1  depicts  the  average  legacy  serial  process  of  prepar¬ 
ing  a  system  for  obtaining  authority  to  operate.  Typically,  the  IA 
subject  matter  expert,  such  as  the  information-system  security 
manager  or  information  system  security  engineer,  is  called  into 
the  effort  at  step  3. 

The  goal  of  system  development  is  to  deliver  a  capabil¬ 
ity  to  an  end  user— in  the  case  of  the  U.S.  Marine  Corps,  to 
the  warfighter.  But  legacy  practices  delay  delivery,  and  for 
some  systems-such  as  intelligence  sensor  systems-delay  is 
itself  a  security  risk.  As  stated  in  a  recent  paper  by  the  SEI 
at  Carnegie  Mellon  University,  “the  information  assurance  ac¬ 
creditation  delay  is  so  extensive  (often  months  to  a  year)  that 
[the  gated  implementation  method  of]  the  DIACAP  process 
almost  negates  the  benefits  gained  through  rapid  development 
methods.”1 

Collaborate,  Integrate,  Automate 

The  integrated  or  “agile  IA”  approach  encourages  a  rapid, 
flexible  response  to  vulnerabilities  that  emerge  as  the  system 
is  developed.  The  key  difference  between  agile  IA  and  the 
legacy  approach  is  the  integration  of  security  at  the  onset  of 
system  development,  allowing  proactive  attention  to  require¬ 
ments.  The  IA  subject-matter  expert  is  involved  in  develop¬ 
ment  from  day  one,  and  is  part  of  the  agile  development  team, 
which  addresses  and  prioritizes  IA  requirements  during  sprint 
planning.  Automated  scanning,  which  includes  automated 
code-review  tools,  allows  the  expert  to  monitor  the  system 
continuously  as  it  is  being  developed.  As  security  requirements 
are  identified,  they  are  reported  in  the  information-technology 
security  plan  of  actions  and  milestones.  By  “baking”  security 
into  the  product,  agile  IA  reduces  security  risk  at  any  point 
in  development  and  minimizes  redundancy  in  the  hardening 
process.  Figure  2  reflects  the  cycle  of  continuous  monitoring 
and  proactive  remediation  and  tracking. 
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Figure  2  -  Continuous  monitoring  and  remediation 
tracking  process 


C&A  also  poses  the  usual  timeline  challenges.  In  the  agile 
approach,  artifacts  are  created  incrementally  as  the  system  de¬ 
velops.  IA  controls  are  documented  as  the  information  becomes 
available.  Documentation  is  limited  to  the  minimum  required  to 
satisfy  the  approving  authority  requirement  to  depict  the  system 
security  posture. 

Lastly,  and  more  significantly,  a  certified  validator  is  engaged 
to  leverage  the  results  of  the  continuous  monitoring  already  oc¬ 
curring  during  each  sprint.  This  enables  the  validator  to  leverage 
the  test  results  for  formal  validation  and  verification,  and  perform 
a  shortened  “hybrid”  style  of  IV&V.  The  formal  IV&V  event  is 
reduced  to  minimally  disruptive  administrative  checks  and  audits, 
obviating  the  intensive  auditing  that  typically  interrupts  system 
development.  System  development  is  allowed  to  continue  during 
the  IV&V  audit. 

Figure  3  depicts  how  continuous  monitoring  can  be  tracked  to 
reflect  the  changing  baseline  of  a  system  given  its  vulnerability 
findings.  Note  that  in  the  beginning  of  the  monitoring,  the  number 
of  findings  is  high.  As  the  system  is  developed  and  remediation 
occurs,  findings  are  reduced.  However,  fluctuations  in  the  base¬ 
line  should  be  expected  as  system  requirements  are  added. 
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Figure  3  -  Continuous  monitoring  scan  resuits  example 
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Conclusion 

Integration  of  security  configuration  requirements  at  initial 
stages  of  system  development  eliminates  the  legacy  practice 
of  reactionary  IA  implementation.  Introducing  IA  expertise  at 
the  onset  of  development  provides  a  more  holistic  approach  to 
identifying  and  implementing  security  requirements.  The  agile 
IA  approach  can  be  implemented  within  other  development 
methods  and  should  not  be  practiced  for  agile  development 
alone.  It  allows  an  incremental  and  controlled  approach  for  IA 
implementation  and  ensures  a  more  secure  posture  of  a  capa¬ 
bility  or  product  release.  Figure  4  depicts  a  sprint  timeline  with 
concurrent  activities  per  sprint  to  include  security  configuration, 
functional  testing,  continuous  monitoring,  formal  auditing,  and 
incremental  C&A  package  creation. 

Integrated  IA  will  reduce  the  schedule  slippage  and  un¬ 
planned  costs  that  are  inherent  when  IA  is  bolted  on  at  the 
end  of  system  development.  It  will  also  reduce  redundancy 
in  system-hardening  processes,  leverage  auditing  activity  for 
multiple  purposes,  and  produce  an  artifact  package  that  more 
quickly  depicts  the  system’s  security  posture.  More  importantly, 
it  will  ensure  that  capabilities  or  products  provided  to  the 
warfighter  are  less  vulnerable  to  exploitation.^ 
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Figure  4  -  Sprint  example  with  concurrent  integrated  activity 


